08-01-2018 05:42 AM - edited 03-11-2019 01:47 AM
Hi
I'm working on an ISE/TrustSec deployment for wired devices using IBNS 2.0. The dev environment is working well:
I'm now looking at how to handle a critical authentication event where ISE becomes unavailable:
The problem I'm seeing is that if ISE is unavailable for long enough and the switch's CTS environment data times out, then the switch loses the SGACLs/SGTs required to enforce policy for the ISE-authenticated devices with their dynamically assigned SGTs.
I thought the old legacy 802.1X command "authentication event server dead action reinitialize vlan X" might help reinitialize authenticated clients when a critical authentication event occurs, but the bug CSCul89568 (and my testing) shows that this is only possible if periodic authentication is enabled.
I created the simple EEM script below, which clears all authenticated sessions when RADIUS becomes unavailable. Clients are then authorised by the switch with statically assigned SGTs (enforcement is done through static SGACLs).
! Clear every access session as soon as the switch declares RADIUS dead,
! so clients re-authenticate into critical authentication with static SGTs.
event manager applet CRITICAL-CLEAR-SESSIONS
 event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "clear access-session"
Can anyone suggest a better way of dealing with this kind of event? I could increase the CTS environment data timeout or enable periodic authentication.
Thanks
Andy
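As an added illustration (not configuration from the original post or from any reply in this thread), the following sketch shows how the two pieces described above fit together: a static SGT/SGACL policy that is held locally on the switch and therefore does not depend on ISE environment data, and an IBNS 2.0 critical-authentication branch that drops hosts onto that policy when RADIUS is dead, with the poster's EEM applet pushing already-authorised hosts through the same path. It follows the structure of Cisco's published IBNS 2.0 critical-authentication template; VLAN 200, SGTs 100 and 20, the 10.10.20.0/24 server subnet, the interface and every object name are assumptions chosen for the example, and the exact keywords should be checked against the command reference for the platform and release in use.

```ios
! ===== RADIUS dead detection: drives the aaa-timeout branch and the EEM applet =====
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
dot1x critical eapol
!
! ===== Fallback policy held locally: unaffected by expiry of ISE environment data =====
! Hosts placed in the critical VLAN (200, assumed) are tagged with static SGT 100;
! the server subnet (assumed) is tagged statically too, so no ISE-learned mapping is needed.
cts role-based sgt-map vlan-list 200 sgt 100
cts role-based sgt-map 10.10.20.0/24 sgt 20
!
! Minimal role-based ACL for critical-authenticated hosts (ports are assumptions).
ip access-list role-based CRITICAL_TO_SERVERS
 permit tcp dst eq 443
 permit tcp dst eq 22
 deny ip
!
cts role-based permissions from 100 to 20 ipv4 CRITICAL_TO_SERVERS
cts role-based enforcement
cts role-based enforcement vlan-list 200
!
! ===== IBNS 2.0 critical authentication =====
service-template CRITICAL_AUTH
 vlan 200
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH
!
policy-map type control subscriber DOT1X_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  ! RADIUS dead and host not yet authorised: land it on the static policy
  20 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  ! RADIUS dead at reauth time for an already-authorised host: keep its current authorisation
  30 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
 ! ISE back: clear critical sessions so hosts return to ISE-assigned SGTs
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 access-session host-mode multi-auth
 access-session port-control auto
 dot1x pae authenticator
 mab
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X_MAB_POLICY
!
! ===== Push already-authorised hosts onto the static policy as soon as ISE is declared dead =====
event manager applet CRITICAL-CLEAR-SESSIONS
 event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5
 action 1.0 cli command "enable"
 action 1.1 cli command "clear access-session"
```

The point of combining the applet with the policy-map is ordering: without the applet, a host that was authorised before ISE went down keeps its dynamic SGT until its next reauthentication, and if the CTS environment data expires first, that SGT has no SGACL behind it. Clearing the sessions on RADIUS_DEAD makes every host re-enter through the AAA_SVR_DOWN_UNAUTHD_HOST branch, where the SGT comes from the static VLAN mapping and the SGACL from the local role-based permission table, neither of which is tied to the environment data timer. The aaa-available event then undoes the fallback once ISE answers again. The `!` lines are comments and are not part of the configuration.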
04-04-2019 01:01 AM
Hi,
Have you tried enabling CTS cache to store the environment data and SGACLs in flash? That way, the last entry cached before ISE dies will be used.
04-04-2019 01:59 AM
Hi David
Thanks for the response. CTS cache isn't supported on Catalyst 3Ks, so that wasn't an option.
Currently, I have periodic authentication enabled for all clients; during a critical authentication event, all clients are re-authenticated before the CTS environment data times out.
Andy